DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General


Letter Report:

DHS Chief Information Officer Remediation Plan


Office of Information Technology

OIG-06-11                                            November 2005


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

November 30, 2005

The Honorable Jerry Lewis, Chairman
Committee on Appropriations
U.S. House of Representatives
H-218 Capitol Building
Washington, DC 20515-6015

Dear Chairman Lewis:

This letter provides the results of our review of the Chief Information Officer’s (CIO) plan to address the weaknesses in the Department of Homeland Security’s (DHS) information security, as directed in the House Report 109-079 – Department of Homeland Security Appropriations Bill, 2006. The House report identified four significant challenges that DHS faces in securing its information systems. Specifically, according to the House report, “The Department lacks a complete and accurate inventory of its information systems; has not tested the contingency plans for the majority of its information systems that it knows it has; is below the government-wide average in reviewing contractor operations, … and, has a poor certification and accreditation process that is not performed consistently across the Department.” The Committee directed us to review the CIO’s plan and report back to the Committee by November 30, 2005, on the thoroughness of the CIO’s plan.

                                             RESULTS OF REVIEW

The Department completed actions to address one of the challenges identified by the Committee prior to developing its plan. The Department had developed a complete and accurate inventory of its sensitive but unclassified and collateral classified systems. The responsibility for the inventory of the Department’s intelligence systems falls under the purview of the DHS Office of Security. As a result, the CIO has not included these systems in its inventory. During our evaluation of DHS’ security program for its intelligence systems, as required by the Federal Information Security Management Act of 2002 (FISMA) for FY2005, we determined that the intelligence systems inventory was complete and accurate.¹

We reviewed the initial draft of the CIO’s remediation plan and provided our detailed assessment to the DHS Chief Information Security Officer (CISO) on October 28, 2005, identifying parts of the plan that were either incomplete or needed additional clarification to address the challenges identified by the Committee. Based on our review of the revised plan (received on November 9, 2005), we believe that the CIO’s remediation plan thoroughly addresses one of the three remaining challenges and partially addresses the two other challenges identified by the Committee.

The DHS CIO developed a one-year remediation plan, Fiscal Year 2006 DHS Information Security Certification and Accreditation Remediation Plan, to address the three remaining challenges identified in the Committee’s report, including the Department’s goal of 100% certification and accreditation of all information technology systems. According to the CIO, the remediation plan was not intended to address all of the Department’s security weaknesses. Accordingly, we limited our evaluation of the plan to only the challenges identified by the Committee.

The remediation plan thoroughly addresses the challenge of a poor certification and accreditation process. Specifically, under the plan, the CIO developed a certification and accreditation process that can be performed consistently across the Department and enforced by the CIO. The plan, if fully implemented by all DHS’ components and the CISO, should give the CIO assurance that all of its non-intelligence systems that have been identified as having a quality certification and accreditation package have in fact met all of the documentation and testing required to accredit a system.

However, the plan does not completely address two challenges identified by the Committee. The plan will only ensure that by September 30, 2006, all systems that have been accredited have a tested contingency plan as part of their certification and accreditation, and all contractor-operated systems have been reviewed at least once as part of the certification and accreditation process. In addition, the plan does not address the identified weaknesses of testing contingency plans on a periodic basis, or performing annual reviews of contractor-operated systems, as required by the Office of Management and Budget. Further, the plan does not address weaknesses in the information security of the Department’s intelligence systems, including contingency plan testing and certification and accreditation. While it is noted in the plan that these systems are not under the purview of the CIO, the Committee report did not specifically exclude intelligence systems from its request. The CISO believes, however, that the plan specifically addresses all the challenges identified by the Committee, including those that we believe were only partially addressed.

                  DISCUSSION WITH MANAGEMENT AND FOLLOW-UP

We discussed the results of this review with the DHS CISO on November 14, 2005, who acknowledged that the plan, as originally drafted, needed improvement. The CISO incorporated many of our comments in the updated version of the remediation plan. For the issues described above regarding the periodic testing of contingency plans, annual reviews of contractor-operated systems, and weaknesses in the information security of the Department’s intelligence systems, we will continue to work with the CIO, and also through our annual evaluation of the Department’s security programs, as required by FISMA, to address these challenges.

Should you have questions concerning this report, please call me, or your staff may call Frank Deffer, Assistant Inspector General for Information Technology, at (202) 254-4100.

                                        Sincerely,

                                        Richard L. Skinner
                                        Inspector General

cc: The Honorable David Obey
    Mr. Scott Charbo, DHS Chief Information Officer

¹ Evaluation of DHS’ Security Program and Practices For Its Intelligence Systems, dated August 2005 (OIG-05-34).


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

November 30, 2005

The Honorable David Obey
Committee on Appropriations
U.S. House of Representatives
1016 Longworth Building
Washington, DC 20515-6015

Dear Congressman Obey:

This letter provides the results of our review of the Chief Information Officer’s (CIO) plan to address the weaknesses in the Department of Homeland Security’s (DHS) information security, as directed in the House Report 109-079 – Department of Homeland Security Appropriations Bill, 2006. The House report identified four significant challenges that DHS faces in securing its information systems. Specifically, according to the House report, “The Department lacks a complete and accurate inventory of its information systems; has not tested the contingency plans for the majority of its information systems that it knows it has; is below the government-wide average in reviewing contractor operations, … and, has a poor certification and accreditation process that is not performed consistently across the Department.” The Committee directed us to review the CIO’s plan and report back to the Committee by November 30, 2005, on the thoroughness of the CIO’s plan.

                                             RESULTS OF REVIEW

The Department completed actions to address one of the challenges identified by the Committee prior to developing its plan. The Department had developed a complete and accurate inventory of its sensitive but unclassified and collateral classified systems. The responsibility for the inventory of the Department’s intelligence systems falls under the purview of the DHS Office of Security. As a result, the CIO has not included these systems in its inventory. During our evaluation of DHS’ security program for its intelligence systems, as required by the Federal Information Security Management Act of 2002 (FISMA) for FY2005, we determined that the intelligence systems inventory was complete and accurate.¹

We reviewed the initial draft of the CIO’s remediation plan and provided our detailed assessment to the DHS Chief Information Security Officer (CISO) on October 28, 2005, identifying parts of the plan that were either incomplete or needed additional clarification to address the challenges identified by the Committee. Based on our review of the revised plan (received on November 9, 2005), we believe that the CIO’s remediation plan thoroughly addresses one of the three remaining challenges and partially addresses the two other challenges identified by the Committee.

The DHS CIO developed a one-year remediation plan, Fiscal Year 2006 DHS Information Security Certification and Accreditation Remediation Plan, to address the three remaining challenges identified in the Committee’s report, including the Department’s goal of 100% certification and accreditation of all information technology systems. According to the CIO, the remediation plan was not intended to address all of the Department’s security weaknesses. Accordingly, we limited our evaluation of the plan to only the challenges identified by the Committee.

The remediation plan thoroughly addresses the challenge of a poor certification and accreditation process. Specifically, under the plan, the CIO developed a certification and accreditation process that can be performed consistently across the Department and enforced by the CIO. The plan, if fully implemented by all DHS’ components and the CISO, should give the CIO assurance that all of its non-intelligence systems that have been identified as having a quality certification and accreditation package have in fact met all of the documentation and testing required to accredit a system.

However, the plan does not completely address two challenges identified by the Committee. The plan will only ensure that by September 30, 2006, all systems that have been accredited have a tested contingency plan as part of their certification and accreditation, and all contractor-operated systems have been reviewed at least once as part of the certification and accreditation process. In addition, the plan does not address the identified weaknesses of testing contingency plans on a periodic basis, or performing annual reviews of contractor-operated systems, as required by the Office of Management and Budget. Further, the plan does not address weaknesses in the information security of the Department’s intelligence systems, including contingency plan testing and certification and accreditation. While it is noted in the plan that these systems are not under the purview of the CIO, the Committee report did not specifically exclude intelligence systems from its request. The CISO believes, however, that the plan specifically addresses all the challenges identified by the Committee, including those that we believe were only partially addressed.

                  DISCUSSION WITH MANAGEMENT AND FOLLOW-UP

We discussed the results of this review with the DHS CISO on November 14, 2005, who acknowledged that the plan, as originally drafted, needed improvement. The CISO incorporated many of our comments in the updated version of the remediation plan. For the issues described above regarding the periodic testing of contingency plans, annual reviews of contractor-operated systems, and weaknesses in the information security of the Department’s intelligence systems, we will continue to work with the CIO, and also through our annual evaluation of the Department’s security programs, as required by FISMA, to address these challenges.

Should you have questions concerning this report, please call me, or your staff may call Frank Deffer, Assistant Inspector General for Information Technology, at (202) 254-4100.

                                        Sincerely,

                                        Richard L. Skinner
                                        Inspector General

cc: The Honorable Jerry Lewis
    Mr. Scott Charbo, DHS Chief Information Officer

¹ Evaluation of DHS’ Security Program and Practices For Its Intelligence Systems, dated August 2005 (OIG-05-34).


Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations – Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax the complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The OIG seeks to protect the identity of each writer and caller.